handshake in SSL_CTX-pool mode (-l, TC_SSL_CTX_POOL) crashes with an access violation (0xC0000005) on Windows when built against OpenSSL master (4.1.0-dev). -s / -p / -P are fine, and -l is fine against 3.0–4.0. It crashes at threadcount=1, so it's deterministic. This fails the nightly perf pipeline on every Windows worker (only for the master build).
Cause
source/handshake.c:free_ctx_pool() frees the OSSL_LIB_CTX before the SSL_CTX created from it:
OSSL_LIB_CTX_free(ctx_pool[i]->libctx); /* (1) */
SSL_CTX_free(ctx_pool[i]->sctx); /* (2) server SSL_CTX holds the key */
SSL_CTX_free(ctx_pool[i]->cctx);
In -l mode sctx is SSL_CTX_new_ex(libctx, …) with the server key loaded, so its EVP_KEYMGMT lives in libctx. Freeing libctx first makes SSL_CTX_free release the key through a dangling keymgmt → AV in evp_keymgmt_freedata (crypto/evp/keymgmt_meth.c:404). All objects from an OSSL_LIB_CTX must be freed before the libctx.
Fix
Reorder so the SSL_CTXs are freed before the OSSL_LIB_CTX:
SSL_CTX_free(ctx_pool[i]->sctx);
SSL_CTX_free(ctx_pool[i]->cctx);
OSSL_LIB_CTX_free(ctx_pool[i]->libctx);
Confirmed: this makes handshake -t -l run cleanly against the same master build.
Reproduce
build\handshake.exe -t -l -s <openssl-master>\test\certs 1 # crash 0xC0000005
(The pipeline logs rc: 5 = 0xC0000005 & 0xFF, from the PowerShell exit $p.ExitCode wrapper.) Affected: OpenSSL master only, Windows only (Linux/macOS/FreeBSD pass).
handshakein SSL_CTX-pool mode (-l,TC_SSL_CTX_POOL) crashes with an access violation (0xC0000005) on Windows when built against OpenSSL master (4.1.0-dev).-s/-p/-Pare fine, and-lis fine against 3.0–4.0. It crashes atthreadcount=1, so it's deterministic. This fails the nightly perf pipeline on every Windows worker (only for themasterbuild).Cause
source/handshake.c:free_ctx_pool()frees theOSSL_LIB_CTXbefore theSSL_CTXcreated from it:In
-lmodesctxisSSL_CTX_new_ex(libctx, …)with the server key loaded, so itsEVP_KEYMGMTlives inlibctx. Freeinglibctxfirst makesSSL_CTX_freerelease the key through a dangling keymgmt → AV inevp_keymgmt_freedata(crypto/evp/keymgmt_meth.c:404). All objects from anOSSL_LIB_CTXmust be freed before the libctx.Fix
Reorder so the
SSL_CTXs are freed before theOSSL_LIB_CTX:Confirmed: this makes
handshake -t -lrun cleanly against the same master build.Reproduce
(The pipeline logs
rc: 5=0xC0000005 & 0xFF, from the PowerShellexit $p.ExitCodewrapper.) Affected: OpenSSL master only, Windows only (Linux/macOS/FreeBSD pass).